{
    "slug": "dynamic_analysis",
    "term": "Dynamic Analysis (DAST)",
    "category": "general",
    "difficulty": "intermediate",
    "short": "Testing a running application by sending crafted inputs to discover vulnerabilities that only manifest at runtime.",
    "long": "Dynamic Application Security Testing (DAST) attacks a live application from the outside, simulating real attack traffic without access to source code. Tools like OWASP ZAP and Burp Suite automate scanning for XSS, SQL injection, CSRF, open redirects, and misconfigurations. DAST finds vulnerabilities that static analysis misses (runtime configuration, third-party component behaviour) but has blind spots (complex business logic, authenticated workflows with state). Use DAST in combination with SAST (static) and manual penetration testing for comprehensive coverage.",
    "aliases": [
        "DAST",
        "dynamic application security testing",
        "runtime analysis"
    ],
    "tags": [
        "general",
        "security",
        "testing",
        "tools"
    ],
    "misconception": "Static analysis and dynamic analysis are interchangeable security testing approaches. Static analysis inspects code without running it — fast, integrated into CI. Dynamic analysis tests the running application — finds runtime vulnerabilities like authentication bypasses and injection flaws that static analysis cannot detect.",
    "why_it_matters": "Dynamic analysis finds bugs that only manifest at runtime — security vulnerabilities, race conditions, and performance issues that static analysis cannot detect without executing the code.",
    "common_mistakes": [
        "Relying solely on static analysis and missing runtime-only vulnerabilities.",
        "Running dynamic analysis only in development — production-like load and data are needed to surface real issues.",
        "Not using fuzzing for input-handling code — fuzzers find edge cases that manual testing misses.",
        "Ignoring Xdebug's coverage mode for identifying untested code paths."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "static_analysis",
        "penetration_testing",
        "threat_modelling"
    ],
    "prerequisites": [
        "static_analysis",
        "xdebug",
        "profiling"
    ],
    "refs": [
        "https://owasp.org/www-project-zap/",
        "https://owasp.org/www-community/Fuzzing"
    ],
    "bad_code": "// Static analysis passes — dynamic analysis catches the bug:\nfunction divide(int $a, int $b): float {\n    return $a / $b; // Static analysis: types look fine\n    // Dynamic analysis with input (1, 0): DivisionByZeroError at runtime\n}",
    "good_code": "// Dynamic analysis — finds bugs by running the code\n\n// Xdebug — code coverage + step debugging\n$ XDEBUG_MODE=coverage vendor/bin/phpunit --coverage-html=coverage/\n\n// OWASP ZAP — automated web vulnerability scanner (baseline scan against staging, never production)\n$ docker run -t owasp/zap2docker-stable zap-baseline.py -t https://staging.yourapp.com\n\n// Infection — mutation testing (tests the quality of your tests)\n$ vendor/bin/infection --threads=4\n// Creates mutations (e.g. changes == to !=) — your tests should catch them\n// MSI (Mutation Score Indicator) > 80% = good test quality\n\n// Blackfire — performance profiling\n$ blackfire run php script.php\n\n// Peak memory of a script (the closest PHP gets to a Valgrind-style memory check):\n// memory_limit=-1 lifts the limit so the script runs to completion and reports its real peak\n$ php -d memory_limit=-1 -r 'require \"script.php\"; echo memory_get_peak_usage(true), PHP_EOL;'",
    "quick_fix": "Run your test suite with Xdebug code coverage to find untested paths; use DAST tools like OWASP ZAP against staging to find runtime security issues that static analysis misses.",
    "severity": "medium",
    "effort": "medium",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/dynamic_analysis",
        "html_url": "https://codeclaritylab.com/glossary/dynamic_analysis",
        "json_url": "https://codeclaritylab.com/glossary/dynamic_analysis.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Dynamic Analysis (DAST)](https://codeclaritylab.com/glossary/dynamic_analysis) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/dynamic_analysis"
            }
        }
    }
}